<% iam_resource_name = "#{resource_name(object, product)}_iam_policy" -%>
---
title: About the <%= iam_resource_name -%> resource
platform: gcp
---

## Syntax
A `<%= iam_resource_name -%>` is used to test a Google <%= object.name -%> Iam Policy resource

## Examples
<%
individual_url = object.iam_policy.base_url || object.self_link || object.base_url + '/{{name}}' 
identifiers = extract_identifiers(individual_url)
identifiers_out = identifiers.map { |id| "#{id.underscore}: #{id.inspect}" }.join(', ')
-%>
```
describe <%= iam_resource_name -%>(<%= identifiers_out -%>) do
  it { should exist }
end

<%= iam_resource_name -%>(<%= identifiers_out -%>).bindings.each do |binding|
  describe binding do
    its('role') { should eq 'roles/editor'}
    its('members') { should include 'user:testuser@example.com'}
  end
end
```
<% if object.iam_policy.iam_conditions_request_type == :REQUEST_BODY -%>

This resource supports [IAM conditions](https://cloud.google.com/iam/docs/conditions-overview).
<% end -%>

## Properties
Properties that can be accessed from the `<%= iam_resource_name -%>` resource:

  * `iam_binding_roles`: The list of roles that exist on the policy.

  * `bindings`: Associates a list of members to a role.

    * `role`: Role that is assigned to members. For example, roles/viewer, roles/editor, or roles/owner.

    * `members`: Specifies the identities requesting access for a Cloud Platform resource.

<% if object.iam_policy.iam_conditions_request_type == :REQUEST_BODY -%>
    * `condition`: Contains information about when this binding is to be applied.

      * `expression`: Textual representation of an expression in Common Expression Language syntax.

      * `title`: An optional title for the expression, i.e. a short string describing its purpose.

      * `description`: An optional description of the expression. This is a longer text which describes the expression.

<% end -%>
  * `audit_configs`: Specifies cloud audit logging configuration for this policy.

    * `service`: Specifies a service that will be enabled for audit logging. For example, `storage.googleapis.com`, `cloudsql.googleapis.com`. `allServices`  is a special value that covers all services.

    * `audit_log_configs`: The configuration for logging of each type of permission.

      * `log_type`: The log type that this config enables. For example, ADMIN_READ, DATA_WRITE or DATA_READ

      * `exempted_members`: Specifies the identities that do not cause logging for this type of permission.


<% unless @api.apis_required.empty? -%>

## GCP Permissions

<% @api.apis_required.each do |api| -%>
Ensure the [<%= api.name -%>](<%= api.url -%>) is enabled for the current project.
<% end # @api.apis_required.each -%>
<% end # unless @api.apis_required.empty? -%>
